A Chinese threat actor was observed using the same strain of malware to target both European diplomatic institutions and the Tibetan community.
The threat actor, tracked as APT TA413 and previously associated with the LuckyCat and ExileRAT malware, has been active for almost a decade and is believed to be responsible for a multitude of attacks targeting the Tibetan population.
In a report published on Wednesday, security researchers from Proofpoint revealed a connection between COVID-19-themed attacks impersonating the World Health Organization (WHO) to deliver the “Sepulcher” malware to economic, diplomatic and legislative entities in Europe and attacks on the Tibetan community that delivered ExileRAT and malware linked to LuckyCat.
In addition, a July campaign targeting Tibetan dissidents attempted to deliver the same Sepulcher malware from the same infrastructure, using some of the email addresses previously seen in ExileRAT attacks, indicating that both campaigns were the work of TA413.
“Although best known for their campaigns against the Tibetan diaspora, this APT community affiliated with the Chinese state interest prioritised intelligence gathering around Western economies reeling from COVID-19 in March 2020, before resuming more traditional targeting later this year,” states Proofpoint.
The March campaign aimed to exploit a Microsoft Equation Editor vulnerability to deliver the previously undisclosed Sepulcher malware, targeting European diplomatic and legislative institutions, economic-relations bodies and non-profit organisations.
The July campaign employed a malicious PowerPoint (PPSX) attachment designed to drop the same malware, and Proofpoint linked it to a January 2019 campaign that used the same type of attachment to infect victims with ExileRAT.
The reuse of the same email addresses is what links these attacks, Proofpoint shows, strongly indicating that a single threat actor was behind both campaigns. Multiple adversaries sharing a single email address over the course of many years is highly unlikely, the researchers conclude.
“While multiple APT groups could use a single operator account (sender address) in separate campaigns against distinct goals, it is unlikely. It is furthermore doubtful that this sender reuse would occur twice in a four-month window between March and July after several years, with both instances delivering the same Sepulcher malware family,” says Proofpoint.
Security researchers suspect that the global recession may have pushed the attackers to reuse resources, and that OPSEC errors began to occur after the re-tasking.
Sepulcher can fingerprint the infected host, supports a reverse command shell, and can read from and write to files. Based on the commands it receives, it can collect information about drives, files, folders, running processes and services; manipulate directories and files; move a file from a source to a destination; terminate processes; restart and uninstall services; and more.
“The use of COVID-19 lures in espionage campaigns by Chinese APT groups during the first half of 2020 was a growing pattern in the threat landscape. However, following an initial urgency in intelligence gathering around Western global economies’ health in response to the COVID-19 pandemic, a return to normalcy has been observed in both TA413 campaign goals and decoy material,” states Proofpoint.